Ensure correct permissions are used on each query

2022-06-26 14:28:55 +01:00 · 2022-06-26 14:28:55 +01:00 · 34ba79428c
commit 34ba79428c
parent ccdce709f2
5 changed files with 20 additions and 11 deletions
--- a/lib/src/dbs/statement.rs
+++ b/lib/src/dbs/statement.rs
@ -82,6 +82,11 @@ impl<'a> Statement<'a> {
 	pub fn is_select(&self) -> bool {
 		matches!(self, Statement::Select(_))
 	}
+	// Check the type of statement
+	#[inline]
+	pub fn is_delete(&self) -> bool {
+		matches!(self, Statement::Delete(_))
+	}
 	// Returns any query fields if specified
 	#[inline]
 	pub fn expr(&self) -> Option<&Fields> {
--- a/lib/src/doc/allow.rs
+++ b/lib/src/doc/allow.rs
@ -19,12 +19,12 @@ impl<'a> Document<'a> {
 			// Get the table
 			let tb = self.tb(opt, txn).await?;
 			// Get the permission clause
-			let perms = if self.initial.is_none() {
-				&tb.permissions.create
-			} else if self.current.is_none() {
+			let perms = if stm.is_delete() {
 				&tb.permissions.delete
 			} else if stm.is_select() {
 				&tb.permissions.select
+			} else if self.is_new() {
+				&tb.permissions.create
 			} else {
 				&tb.permissions.update
 			};
--- a/lib/src/doc/document.rs
+++ b/lib/src/doc/document.rs
@ -39,6 +39,10 @@ impl<'a> Document<'a> {
 	pub fn changed(&self) -> bool {
 		self.initial != self.current
 	}
+	// Check if document has changed
+	pub fn is_new(&self) -> bool {
+		self.initial.is_none()
+	}
 	// Get the table for this document
 	pub async fn tb(
 		&self,
--- a/lib/src/doc/event.rs
+++ b/lib/src/doc/event.rs
@ -13,7 +13,7 @@ impl<'a> Document<'a> {
 		ctx: &Context<'_>,
 		opt: &Options,
 		txn: &Transaction,
-		_stm: &Statement<'_>,
+		stm: &Statement<'_>,
 	) -> Result<(), Error> {
 		// Check events
 		if !opt.events {
@ -26,10 +26,10 @@ impl<'a> Document<'a> {
 		// Loop through all event statements
 		for ev in self.ev(opt, txn).await?.iter() {
 			// Get the event action
-			let met = if self.initial.is_none() {
-				Value::from("CREATE")
-			} else if self.current.is_none() {
+			let met = if stm.is_delete() {
 				Value::from("DELETE")
+			} else if self.is_new() {
+				Value::from("CREATE")
 			} else {
 				Value::from("UPDATE")
 			};
--- a/lib/src/doc/field.rs
+++ b/lib/src/doc/field.rs
@ -13,7 +13,7 @@ impl<'a> Document<'a> {
 		ctx: &Context<'_>,
 		opt: &Options,
 		txn: &Transaction,
-		_stm: &Statement<'_>,
+		stm: &Statement<'_>,
 	) -> Result<(), Error> {
 		// Loop through all field statements
 		for fd in self.fd(opt, txn).await?.iter() {
@ -56,10 +56,10 @@ impl<'a> Document<'a> {
 				// Check for a PERMISSIONS clause
 				if opt.perms && opt.auth.perms() {
 					// Get the permission clause
-					let perms = if self.initial.is_none() {
-						&fd.permissions.create
-					} else if self.current.is_none() {
+					let perms = if stm.is_delete() {
 						&fd.permissions.delete
+					} else if self.is_new() {
+						&fd.permissions.create
 					} else {
 						&fd.permissions.update
 					};